Managing transformation projects
Transformation programme is a common phrase. And the pace of change is relentless. We explore what it means for internal audit assurance and advisory engagements alongside considering questions for audit leaders to discuss with their stakeholders.
Catalytic shifts in an enterprise are often driven by changes in the macro-environment such as competition and regulation, the organisation itself through mergers/acquisitions or new leadership and as a consequence of technology for example digitisation and artificial intelligence.
Business transformation typically takes three forms: efficiency, foundation and strategic:
Efficiency
- Doing the same but cheaper and/or faster.
- Airlines exploiting technology to check-in for flights.
Foundation
- Change to core operating model, fundamental shift in the way business is done.
- Netflix streaming movie content making postal DVD subscription method obsolete.
Strategic
- Changing the core purpose of the company.
- Amazon leveraging its retail infrastructure to offer cloud services.
Complex change of this nature is typically achieved through a portfolio of projects with interdependencies or intersecting elements - a transformation programme. Whilst they require established change management capabilities, to be successful they also need strong collaboration, dynamic coordination of resources and compelling communication.
Insights
Internal audit is the department to turn to when embarking on a transformation journey; familiar with the organisation, expert advisors regarding risk and control, practiced at assimilating information not to mention a sense of humour when the going gets tough!
Chief audit executives (CAEs) have always seen internal audit as having an important role in the management of large program risks. Yet over the years PwC's annual global internal audit study has shown that stakeholders don't always agree with limited value being seen. Interestingly, organisations often struggle with major change agendas, so perhaps there is an expectation gap.
The 2023 report highlights the unifying force of internal audit, to help combine expertise across the organisation. A useful capability given the diverse nature of change programmes. Their research also highlights a need for internal audit to be more involved in strategic areas or risk becoming irrelevant.
Internal audit roles
A traditional style of auditing looks back at history for fact based evidence to support opinion, consequently, some chief audit executives may argue against involvement in a transformation programme in favour of pure assurance. The institute urges against this and recommends that internal audit look to balance assurance and consultancy activity to deliver maximum value to the organisation and the board.
It is usual for the first and second line to be heavily involved in any transformation activity due to their expertise which can lead to exposure over normal operations which internal audit need to be mindful of. When thinking about using internal audit resource for consultancy engagements CAEs must also consider the degree of objectivity demonstrated by second line specialists as they may be better placed to run risk workshops, advise on controls and educate third parties.
One of the challenges for internal audit is providing assurance in accordance with the dynamism of a transformation programme. Offering an audit opinion the day after a key milestone decision has been made is not only unhelpful and unprofessional but disruptive.
There are a number of relatively simple measures that CAEs can put in place to mitigate against this:
- Effective communication channels with programme co-ordinators, project leads and other key stakeholders as to milestones, meeting schedules etc.
- Appropriate resourcing and scoping of engagements to ensure they are achievable in the required timescale.
- Working with other assurance providers for efficiency to avoid duplication and control gaps, an assurance map is a useful tool early in the journey.
- Focus on evaluating the actual controls rather than taking time to plan expected controls.
Consultancy activity provides the opportunity for creativity and adding value although it does require internal audit to shift away from reporting on the past as is the case with traditional assurance and think about risk anticipation, looking to the future.
CAEs are well positioned to take an independent role at critical decision-making forums such as board meetings and steering groups. This should be a non-voting role with the remit of observing governance and providing constructive, insightful commentary on governance, risk and internal control to members. This also affords invaluable information for audit planning at a macro and micro level.
Assurance and/or consultancy engagements can be readily accommodated alongside other audit activity, it does not require a dedicated team, chief audit executives to manage resource efficiently, particularly as change activity often requires a degree of flexible planning. As with any change in the organisations risk profile that divert audit resource, CAEs must manage Board expectations by advising of material assurance gaps.
Additionally, if resource allows, it may be appropriate to consider seconding members of the team to the transformation programme to effect control design, identification and management of risk and governance principles on an ongoing advisory basis, in addition to undertaking specific engagements. Conversely, there may be opportunity for employees to be seconded into internal audit from the business to enhance operational skills/knowledge.
Suggestions for the audit plan
Transformation programmes, even those undertaken in agile environments rely on foundation principles and go through phases. There are many frameworks and models available from the different consultancy firms on the topic. However, for the purposes of this briefing we will focus on the generic themes of governance, strategy, design, execution and people.
Major programmes are rarely linear and a short-term rolling plan that combines flexibility with compliance, focusing on key risks and milestones may be more beneficial than trying to plan in advance for the lifetime of the programme.
The following suggestions are headline topics from which scoping documents could be developed specific to your transformation journey, organisational structure, hierarchy and methodology.
Governance
Assurance over:
- Governance framework for decision making and reporting.
- Design of financial controls, followed up with compliance reviews.
- Business continuity arrangements during the period of transformation.
- Risk management approach, followed up with compliance reviews.
- Vendor/partner management approach, followed up with compliance reviews.
Consultancy review of:
- Integrated assurance with the output being an assurance map incorporating all assurance providers and their role in the transformation programme.
If there is no dedicated risk function internal audit should:
- Consider supporting stakeholders in their risk identification and assessment approach to ensure robust risk management.
- Consider the rapid deployment of a risk training session for managers, not only could this prove invaluable for decision making (assessment) but also help individuals with their workload (prioritisation) as the day-to-day business activities will still need to be done along the transformation initiatives.
Strategy
Assurance over:
- Business case process and sign off.
- Risk identification approach.
- Stakeholder engagement.
- Selection and use of expert advice.
- Alignment of approach with strategic intent.
- Decision making forums.
- Benefits management approach.
- Benefits management realisation the end of individual projects or the programme as a whole.
Consultancy review of:
- The target operating model utilising business knowledge.
- Internal audit insight for areas of high risk, known control weaknesses and interdependencies.
People
Assurance over:
- Stakeholder management including identification, engagement and communication.
- Training plans including budget, timing, expert resource, suitability, follow up.
This could be repeated/adapted at various stages throughout the journey.
Consultancy review of:
- Readiness for change incorporating culture, people and processes.
This should be repeated at various stages throughout the journey:
- HR policies and their alignment to post-transformation culture.
Design
Assurance over:
- Vendor/partner selection process.
- Information and data security during transformation process.
- Inclusion of regulatory and compliance obligations.
- Programme administration including resourcing, competency and tools to ensure management alignment of individual initiatives to strategic vision, dependencies, defined benefits with measures, achievable milestones.
Assurance and/or consultancy review of:
- Test plan creation including completeness, stakeholder engagement, timeliness etc.
Consultancy and/or assurance over:
- ‘To-be’ processes to influence effective control design.
Execution
Assurance over:
- Test plan execution and remedial activities.
- Data security including access post-transformation.
Consultancy and/or assurance over:
- The management of data including cleansing, transfer, archive and obsolescence.
- Consultancy review of transition from project state to new business-as-usual.
Review
Assurance over:
- Change process including utilisation of new processes/systems, end user acceptance and culture.
- Benefit realisation.
- Assessment of deployment (adaption) and performance against defined measures.
This may be a rolling audit over months or years after the completion of initiatives.
Consultancy review of:
- Lessons learned, potentially facilitated by internal audit.
Sector convergence
The transformation revolution is all pervasive, although the actual drivers of change themselves and their desired outcomes may differ. Or do they?
As with extreme catwalk fashion and the clothes we see on the high street, disruptive innovations invariably affect society; think mobile phones, personal computers, discount supermarkets and now artificial intelligence, internet of things and 3D printing.
Since the 2008 financial crisis, continual regulatory reform has affected the financial services industry. The same driver also led to the age of austerity that troubles the public sector and the recession keenly felt in the private and charity sectors too. The same change agent with the same consequences of cost efficiency, transparency and restructuring although expressed using different language.
Is customer centricity in the private sector any different to that in the public/charity sector with a focus on outcomes or the concept of treating customers fairly in financial services? Where the private sector measures project benefit through return on investment the public sector could look at the same measure as return to taxpayer and charities as return on funding. In essence all sectors are seeking answers to very similar questions.
The nature of transformation programmes will vary between sectors due to budgets, resource and the initiatives themselves. Regulatory reform for example is not only changing processes but seeking to change behaviours at the heart of the financial services industry. Whilst it is important to recognise differentials, it is equally beneficial to consider ways in which learnings and approaches pollenate across sectors.
In financial services the three lines of defence is a familiar operating model and ensures that clarity of accountability remains during periods of change. Transferring this learning to programme management could be useful during periods of change to ensure accountability for risk ownership is clearly understood and personalised at all levels across organisations. The government digital service maintains a public-sector standard for the design, build and purchase of technology. Change consultants working predominantly in the private sector share a wealth of information regarding their frameworks, case studies and ways of working. All of this is freely available to adapt and learn from rather than start from a blank page.
In a world of flux there are few organisations that will be unaffected by the driving forces for transformational change. The caterpillar has no awareness of is limited capability to fly and has no choice in its evolution to becoming a butterfly. Chief audit executives have a choice in how they respond to their organisations transformation potential.
Stakeholder conversation thoughts for chief audit executives
These are generic questions designed to prompt thoughts. They are not designed to be used as an interview checklist.
Consideration must always be given to existing relationships, culture and knowledge base when preparing for stakeholder conversations.
Generic
- How will you feel assured that everything at a detail level is happening as you expect/have been led to believe it should happen?
- Have you experienced this type of change before?
- Which aspects do you see as the quick wins, the easiest to deploy?
- Where do you see the biggest challenges?
- Internal audit has a range of skills in this field, how do you think we can best support the business through this period?
Audit committee chair
- Which areas of the transformation concern you the most?
- Do you think the risk profile for the business is appropriate - are management too confident, too cautious? Is risk appetite sufficiently defined for this period of volatility?
- Have you experienced this type of change before?
- What styles of assurance reporting will serve you best during this process?
- Do we need to increase the frequency of our communication?
- Which areas of business as usual would you not want us to lose sight of?
Answers may help to inform thinking. Think about any amendments to the internal audit charter and perhaps short term amends to the audit committee charter or terms of reference, also budgets, skills gap, potential co-sourcing arrangements and extended assurance gap due to transformation work.
Chief information officer
- Does the business know its requirements or is it being shaped by technical capabilities?
- What resourcing issues could this present to your team?
- Who are the leaders in this field or are we breaking new ground with the technology we are planning to use?
- How well is the business future-proofing its vision?
- How will this programme affect our information security threat profile?
- What does the employee capability gap look like between today and the future vision?
Consider how transformation may impact projects already in progress.
Chief executive officer
- In which ways do you see our culture being both a barrier to change and also a catalyst?
- Do you think that the project/programme may have a long-term impact on the culture either positively or negatively?
- What level of performance disruption are you willing to tolerate during this period?
- Where do you see the business five years after this programme?
- How comfortable are you that the risks associated with the transformation have been identified and assessed?
- Which aspects of the new risk profile concern you the most?
When discussing risks think about the opportunities not just the threats.
HR director
- Where do we have depth of talent to cope with this level of change?
- How are you planning to backfill where talent is transferred permanently to transformation initiatives?
- What are the areas where we have least resource flexibility?
- How adaptable do you this we are as an organisation? Which behaviours will support or hinder this fundamental change?
- Who do you see as our change agents among the board and senior management?
Transformation programme lead
The context of questions will differ depending on whether the lead has been recruited specifically as an experienced programme manager or is an internal promotion/secondment into the role.
- If recruited. What do you understand to be the drivers for this change?
- If recruited. What are the top five things you’ve learnt from when things haven’t gone as planned?
- If internal. What change projects have you managed before?
- Where do you see the biggest challenges?
- What type of tools are you planning to use to manage the programme?
- How would you describe risk to a new project manager?
- What do you see as the cultural challenges that we face going into this journey?
This is a key stakeholder relationship for internal audit insight and will be an important factor in determining the extent and nature of consultancy activity.
"Just when the caterpillar thought the world was over it became a butterfly"
Old English proverb
Further reading
The IIA: Risk in focus: Hot topics for internal audit 2018
Deloitte: State of the internal audit profession 2012
Deloitte: 2016 Global Chief Audit Executive Survey
Gartner: Audit hot spots for 2018